DETAILED ACTION

1. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 9/30/08
has been entered.

2. Claims 1-17 are pending. 

Response to Amendment 

3. The Declaration filed on 9/30/08 under 37 CFR 1.131 has been considered but is
ineffective to overcome the Christodorescu reference. The Applicant has stated that "I
prepared and retained sole custody of the Christodorescu Presentation prior to its public
disclosure. The first public disclosure of the Christodorescu Presentation was after July
29, 2002. The date of the presentation is not the date that the presentation was made
publicly available." According to the MPEP, even if the invention is hidden, an inventor who
puts an article embodying the invention in public view is barred from obtaining a patent, as
the invention is in public use. The proper test for public use is whether (1) the article was
accessible to the public; or (2) it was commercially exploited. Thus the test for the public
use prong includes the nature of the activity that occurred in public; public access to the
use; confidentiality obligations imposed on members of the public who observed the
use; and commercial exploitation (see MPEP 2133.03). The Applicant has to state
where, when and to whom the presentation was made. According to the publication
retrieved from the Internet, the date of the publication is prior to July 29, 2002 and the
place is the "University of Wisconsin, Madison".

Specification 

1. The specification is objected to as failing to provide proper antecedent basis for 
the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction
of the following is required: The term "computer readable hardware storage medium" 
lacks antecedent basis in the specification. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

1. Claims 1-3 and 6-10 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Nachenberg U.S. Patent Number 6,357,008 in view of Christodorescu "Detecting
Malicious Patterns in Executables via Model Checking" University of Wisconsin, July 12,
2002, page 1-15.
As per claim 1:

Nachenberg teaches a computer program for identifying malicious portions in a
suspect computer program comprising:

a preprocessor portion for receiving the suspect computer program and creating 
a logically equivalent standardized version of the suspect program; (col. 5, lines 27-39; 
col. 6, line 53-col. 7, line 22) 

a library of standardized malicious code portions; (col. 7, line 23-col. 8, line 31; 
col. 9, lines 26-65) and 

a detector portion reviewing the standardized version against the library of
malicious code portions to provide an output indicating when a malicious code portion is
present in the suspect program. (col. 9, line 66-col. 10, line 10; col. 15, line 38-col.
16, line 63)

Nachenberg does not explicitly disclose creating a logically equivalent
standardized version of the suspect program without executing the suspect program.
Christodorescu discloses creating a logically equivalent standardized version of the
suspect program without executing the suspect program. (page 12-24) Therefore it
would have been obvious to one of ordinary skill in the art at the time the invention was
made to modify the method disclosed by Nachenberg with Christodorescu in order to
analyze the program semantic structure to check the presence of malicious properties.
(page 12, Christodorescu)
As per claim 2: 

The combination of Nachenberg and Christodorescu teaches all the subject
matter as discussed above. In addition, Nachenberg further teaches wherein the
standardized version identifies the execution order of instructions of the suspect
program and wherein the detector portion reviews the instructions of the standardized
version according to the execution order. (col. 2, line 38-col. 4, line 65; col. 7, line 23-
col. 8, line 31; col. 9, line 26-col. 10, line 10; col. 15, line 38-col. 16, line 63)
As per claim 3: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the preprocessor 
identifies the execution order of the instructions by generation of a control-flow listing of 
the instructions. (col. 2, line 38-col. 4, line 65; col. 9, lines 26-67)
As per claim 6: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. In addition, Nachenberg further teaches wherein the 
standardized version removes irrelevant portions of the suspect program. (col. 13, line
42-col. 15, line 37)
As per claim 7: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the preprocessor 
removes irrelevant portions by identifying irrelevant portions to the detector so that the 
detector ignores identified irrelevant portions when reviewing the standardized version.
(col. 13, line 42-col. 15, line 37)
As per claim 8:

The combination of Nachenberg and Christodorescu teaches all the subject
matter as discussed above. In addition, Nachenberg teaches wherein the irrelevant
portions are one or more nop instructions. (col. 13, line 42-col. 15, line 37)
As per claim 9: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the standardized 
version uses uninterpreted variables. (col. 13, line 42-col. 15, line 37)
As per claim 10: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the suspect 
program is a binary executable and wherein the preprocessor receives the binary 
executable to generate a listing of instructions and data values. (col. 13, line 42-col. 15,
line 37)

2. Claims 4-5 and 11-17 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Nachenberg U.S. Patent Number 6,357,008 in view of Christodorescu "Detecting
Malicious Patterns in Executables via Model Checking" University of Wisconsin, July 12,
2002, page 1-29 in view of Ho et al. (hereinafter Ho) U.S. Patent Number 7,188,369.
As per claims 4 and 14: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. Both references do not explicitly disclose wherein the 
standardized version maps instructions of the suspect program to corresponding 
standard synonym instructions. Ho in analogous art, however, discloses wherein the 
standardized version maps instructions of the suspect program to corresponding
standard synonym instructions. (col. 5, lines 25-col. 6, line 40) Therefore it would have
been obvious to one of ordinary skill in the art at the time the invention was made to
modify the method disclosed by Nachenberg and Christodorescu with Ho in order to
receive external instructions and for execution and perform their respective antivirus
functionalities. (col. 6, lines 18-21; Ho)
As per claims 5 and 15: 

The combination of Nachenberg, Christodorescu and Ho teaches all the subject 
matter as discussed above. In addition, Ho further teaches wherein the standard 
synonym instructions are different in number from the instructions of the suspect 
program to which the synonym instructions map. (col. 5, lines 25-col. 6, line 40) 
As per claims 11 and 16: 

The combination of Nachenberg and Christodorescu teaches all the subject 
matter as discussed above. Both references do not explicitly disclose including a library 
of patterns matching to one or more instructions of the suspect program and wherein 
the preprocessor creates the standardized version by replacing instructions of the 
suspect program with matching ones of the library of patterns and wherein the library of 
standardized malicious code portions are also collections of ones of the library of 
patterns. (col. 5, lines 25-col. 6, line 40) Therefore it would have been obvious to one
of ordinary skill in the art at the time the invention was made to modify the method
disclosed by Nachenberg with Ho in order to receive external instructions and for
execution and perform their respective antivirus functionalities. (col. 6, lines 18-21; Ho)
As per claims 12 and 17:

The combination of Nachenberg, Christodorescu and Ho teaches all the subject
matter as discussed above. In addition, Ho further teaches wherein a pattern is at least
one instruction logically replacing at least one different instruction in the suspect
program. (col. 5, lines 25-col. 6, line 40)

As per claim 13: 

3. The combination of Nachenberg, Christodorescu and Ho teaches all the subject 
matter as discussed above. In addition, Ho further teaches wherein a pattern in a tag 
replacing at least one instruction logically having no substantive effect on the execution 
of the suspect program; a library of patterns is implemented as a look-up table matching 
instructions to the patterns. (col. 5, lines 25-col. 6, line 40)

4. Claims 1-3 and 6-10 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Nachenberg U.S. Patent Number 6,357,008 in view of Nachenberg US 6,851,057
(hereinafter Nachenberg '057)

As per claim 1:

Nachenberg teaches a computer program for identifying malicious portions in a 
suspect computer program comprising: 

a preprocessor portion for receiving the suspect computer program and creating 
a logically equivalent standardized version of the suspect program; (col. 5, lines 27-39; 
col. 6, line 53-col. 7, line 22) 



Application/Control Number: 10/629,292 Page 9 

Art Unit: 2437 

a library of standardized malicious code portions; (col. 7, line 23-col. 8, line 31; 
col. 9, lines 26-65) and 

a detector portion reviewing the standardized version against the library of
malicious code portions to provide an output indicating when a malicious code portion is
present in the suspect program. (col. 9, line 66-col. 10, line 10; col. 15, line 38-col.
16, line 63)

Nachenberg does not explicitly disclose creating a logically equivalent
standardized version of the suspect program without executing the suspect program.
Nachenberg '057 in analogous art, however, discloses creating a logically equivalent
standardized version of the suspect program without executing the suspect program.
(col. 3, lines 1-67; col. 4, line 51-67; col. 8, line 5-col. 9, line 14) Therefore it would have
been obvious to one of ordinary skill in the art at the time the invention was made to
modify the method disclosed by Nachenberg with Nachenberg '057 in order to prevent a
virus from modifying the destination of an existing JMP or CALL instruction anywhere in
the file to point to the location of viral code elsewhere in the file. (col. 5, lines 58-64;
Nachenberg '057)
As per claim 2: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject
matter as discussed above. In addition, Nachenberg further teaches wherein the
standardized version identifies the execution order of instructions of the suspect
program and wherein the detector portion reviews the instructions of the standardized
version according to the execution order. (col. 2, line 38-col. 4, line 65; col. 7, line 23-
col. 8, line 31; col. 9, line 26-col. 10, line 10; col. 15, line 38-col. 16, line 63)
As per claim 3: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the preprocessor 
identifies the execution order of the instructions by generation of a control-flow listing of 
the instructions. (col. 2, line 38-col. 4, line 65; col. 9, lines 26-67)
As per claim 6: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. In addition, Nachenberg further teaches wherein the 
standardized version removes irrelevant portions of the suspect program. (col. 13, line
42-col. 15, line 37)
As per claim 7: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the preprocessor 
removes irrelevant portions by identifying irrelevant portions to the detector so that the 
detector ignores identified irrelevant portions when reviewing the standardized version.
(col. 13, line 42-col. 15, line 37)
As per claim 8: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject
matter as discussed above. In addition, Nachenberg teaches wherein the irrelevant
portions are one or more nop instructions. (col. 13, line 42-col. 15, line 37)
As per claim 9: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the standardized 
version uses uninterpreted variables. (col. 13, line 42-col. 15, line 37)
As per claim 10: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. In addition, Nachenberg teaches wherein the suspect 
program is a binary executable and wherein the preprocessor receives the binary 
executable to generate a listing of instructions and data values. (col. 13, line 42-col. 15,
line 37)

5. Claims 4-5 and 11-17 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Nachenberg U.S. Patent Number 6,357,008 in view of Nachenberg US 6,851,057
(hereinafter Nachenberg '057) in view of Ho et al. (hereinafter Ho) U.S. Patent Number
7,188,369.

As per claims 4 and 14: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. Both references do not explicitly disclose wherein the 
standardized version maps instructions of the suspect program to corresponding 
standard synonym instructions. Ho in analogous art, however, discloses wherein the 
standardized version maps instructions of the suspect program to corresponding 
standard synonym instructions. (col. 5, lines 25-col. 6, line 40) Therefore it would have
been obvious to one of ordinary skill in the art at the time the invention was made to
modify the method disclosed by Nachenberg and Nachenberg '057 with Ho in order to
receive external instructions and for execution and perform their respective antivirus
functionalities. (col. 6, lines 18-21; Ho)
As per claims 5 and 15: 

The combination of Nachenberg, Nachenberg '057 and Ho teaches all the 
subject matter as discussed above. In addition, Ho further teaches wherein the standard 
synonym instructions are different in number from the instructions of the suspect 
program to which the synonym instructions map. (col. 5, lines 25-col. 6, line 40) 
As per claims 11 and 16: 

The combination of Nachenberg and Nachenberg '057 teaches all the subject 
matter as discussed above. Both references do not explicitly disclose including a library 
of patterns matching to one or more instructions of the suspect program and wherein 
the preprocessor creates the standardized version by replacing instructions of the 
suspect program with matching ones of the library of patterns and wherein the library of 
standardized malicious code portions are also collections of ones of the library of 
patterns. (col. 5, lines 25-col. 6, line 40) Therefore it would have been obvious to one
of ordinary skill in the art at the time the invention was made to modify the method
disclosed by Nachenberg and Nachenberg '057 with Ho in order to receive external
instructions and for execution and perform their respective antivirus functionalities. (col.
6, lines 18-21; Ho)
As per claims 12 and 17:

The combination of Nachenberg, Nachenberg '057 and Ho teaches all the
subject matter as discussed above. In addition, Ho further teaches wherein a pattern is
at least one instruction logically replacing at least one different instruction in the suspect
program. (col. 5, lines 25-col. 6, line 40)
As per claim 13: 

The combination of Nachenberg, Nachenberg '057 and Ho teaches all the 
subject matter as discussed above. In addition, Ho further teaches wherein a pattern in 
a tag replacing at least one instruction logically having no substantive effect on the 
execution of the suspect program; a library of patterns is implemented as a look-up 
table matching instructions to the patterns. (col. 5, lines 25-col. 6, line 40)

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHEWAYE GELAGAY whose telephone number is 
(571)272-4219. The examiner can normally be reached on 8:00 am to 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Emmanuel Moise, can be reached on 571-272-3865. The fax phone number
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/S. Q.I 

Examiner, Art Unit 2437 
/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



